After the networks are configured based on security principles, regular review and maintenance are needed.
To secure local and remote access to your systems, follow these guidelines:
Limit remote configuration to specific IP addresses using SSH instead of Telnet. Telnet passes user names and passwords in clear text, potentially allowing everyone on the local area network (LAN) segment to see login credentials. Set a strong password for SSH.
Use version 3 of Simple Network Management Protocol (SNMP) to provide secure transmissions. Earlier versions of SNMP are not secure and transmit authentication data in unencrypted text. SNMPv3 uses encryption to provide a secure channel as well as individual user names and passwords.
Change the default SNMP community string to a strong community string if SNMPv1 or SNMPv2 is necessary. Some products have PUBLIC set as the default SNMP community string. Attackers can query a community to draw a very complete network map and possibly modify management information base (MIB) values.
Always log out after using the system controller if the system controller uses a browser interface.
Enable necessary network services and configure these services securely. Disable unnecessary network services, such as Transmission Control Protocol (TCP) or Hypertext Transfer Protocol (HTTP).
Use LDAP security measures when using LDAP to access the system.
Create a banner message that appears at login to state that unauthorized access is prohibited. You can inform users of any important policies or rules. The banner can be used to warn users of special access restrictions for a given system, or to remind users of password policies and appropriate use.
Use access control lists to apply restrictions, where appropriate.
Set time-outs for extended sessions and set privilege levels.
Use authentication, authorization, and accounting features for local and remote access to a switch.
Use these network services in very secure environments as they are secured by certificates and other forms of strong encryption to protect the channel:
LDAP/SSL (Lightweight Directory Access Protocol/Secure Socket Layer)
Use these network services on private, secure networks where there are no suspected malicious users:
RADIUS (Remote Authentication Dial In User Service)
TACACS+ (Terminal Access Controller Access-Control System)
Use the port mirroring capability of the switch for intrusion detection system (IDS) access.
Implement port security to limit access based upon a MAC address. Disable auto-trunking on all ports.
For more information about network security, refer to the Oracle ILOM Security Guide, which is part of the Oracle ILOM documentation library. You can find the Oracle ILOM documentation at: